Precision Sees Through Cyberbreach Smokescreen and Thwarts a Ransomware Attack

Cyberbreach forensic analysis: Fearing the worst, a major technology company turned to Precision and averted a ransomware attack

Recently, Precision published a client success story in which my Precision Forensics team was called in to help investigate a cyberbreach at a major U.S. technology company. You can read the nicely-produced two-page version of that client success story here, but I thought some of you might be interested in hearing a few more details that didn’t make the cut for the two-page version.

Besides being a fascinating story unto itself, what struck me is that Computer Forensics isn’t always just about preserving evidence or identifying individuals who created, copied or deleted files. We can apply the same skills and technologies to a broader range of uses for our clients – in an investigative manner and in this case, to help them protect their sensitive network resources including sensitive data.

The Challenge

In the wee hours of the morning, the Network Operations Center (NOC) of a major U.S. technology company detected unusually high CPU usage in one of the 1000+ networks and systems it monitors. NOC personnel alerted the company’s Security Operations Center (SOC) group, which immediately deployed an incident response team to investigate. The team was kept small and confidential because of the possibility that this was an insider attack.

The team began its investigation and quickly discovered Bitcoin “mining” software running on the affected network.

Bitcoin is a digital currency that is “mined” to “unlock” new coins, which are protected with a highly sophisticated encryption algorithm – a virtual digital padlock with trillions of possible keys. Mining each Bitcoin requires a substantial amount of computing power to crack through the encryption to find a valid key. With a typical desktop or laptop computer, it could take over a thousand years to unlock a single coin. And so Bitcoin miners often try to co-opt the resources of large and powerful computer networks to reduce the duration to an achievable timeframe.

Soon thereafter, the same mining software appeared on another network within the company. The company assumed that this must be in an inside job. It had the look and feel of an employee deploying Bitcoin mining software on company hardware to make a few extra bucks. It made sense. The company has exactly the kind of high-powered computing environment that Bitcoin miners desire.

However, two days later, the mining software spread across multiple networks within the organization – far beyond what a single employee should be able to access. Fearing that the threat was larger and more sophisticated than initially believed, the company engaged Precision Discovery’s forensic and security experts to ascertain the root cause of the incident and assess the exposure to the company and its data.

The Precision Solution

Precision deployed a team with over 20 years of experience to perform a comprehensive forensic analysis. The team used a suite of forensics strategies and tools throughout the investigation process to determine the cause of the security breach and prevent its spread to other networks.

We started by carefully preserving and analyzing all data and system information as well as live network traffic from one of the affected networks, including but not limited to:

Network artifact recovery and analysis

In depth Internet Traffic and Packet Capture (PCAP) analysis

System and Security Event Log analysis

Library (e.g. DLL) and RAM analysis

Forensic examination of traces of how/when/where the mining software appeared and what it affected.

Our analysis revealed something unexpected: suspicious connections to and from various foreign nations into the company’s network. This was no insider attack.

Hackers from foreign countries had discovered an open, unsecured port in the company’s domain controller, which is used to handle authentication requests (i.e. logging in) by network administrators. The hackers were able to exploit this open port to gain unrestricted access to the domain controller and perform brute force attacks on administrator accounts – trying millions of potential passwords until they discovered one that worked. Once logged in as an administrator, they could access the company’s internal networks without being detected.

Perhaps more surprisingly, we discovered that the Bitcoin mining software was merely a diversion. As we continued to investigate, we found that the hackers had installed Crysis Ransomware, a particularly malicious type of software designed to encrypt a computer system’s data. This prevents the company from accessing the data until they pay a large sum of money to the hackers, who then presumably release the key that decrypts the data.

Once we were able to identify the specific type of ransomware, the client’s security team was able use decryption tools to undo the damage without having to pay the ransom.

Another concern was that the hackers could potentially exploit the data in other ways such as exposing customers’ personal information. Fortunately, we were able to determine that the ransomware had collected confidential internal data, but no personally identifiable information (PII) about the company’s customers had been compromised – a huge sigh of relief for our client.

The Results

While our computer forensic capabilities are typically used to help in legal matters – preserving or recovering evidence, identifying individuals who created, copied or deleted documents, etc. – this same expertise can be applied in a wide variety of circumstances to help our clients understand how their computer systems and networks are being used – or misused.

In this case, Precision’s forensic analysis helped our client triage the incident and limit its impact. We helped the client understand its exposure and provided security recommendations to prevent further breaches. With advice from our experts, the company started a security campaign to identify and close security holes.

From this incident, we learned that no matter how sophisticated or fully equipped a company may be, no one is immune from cyber threats and vigilance is required at all times.

Anand R. DaHarry, Senior Director of Discovery Solutions

Anand R. DaHarry, Senior Director of Discovery Solutions at Precision Discovery, He works deep in the trenches with his clients to formulate the best business practice approach and discovery solutions to their complex litigation cases, government investigations and cyber data breaches in a consultative manner. He loves deep sea fishing and grilling-out with family & friends in the great sunshine state beach parks. He can be reached at adaharry@precisiondiscovery.com.